Chapter 7. Address Translation

This chapter describes NetDefendOS address translation capabilities.

- Dynamic Network Address Translation, page 204
- NAT Pools, page 207
- Static Address Translation, page 210

The ability of NetDefendOS to change the IP address of packets as they pass through a D-Link Firewall is known as address translation. NetDefendOS supports two types of translation: Dynamic Network Address Translation (NAT) and Static Address Translation (SAT). Both translations are policy-based, meaning that they can be applied to specific traffic based on source/destination network/interface as well as service. Two types of IP rules, NAT rules and SAT rules, are used to specify address translation within the IP rule set.

There are two main reasons for employing address translation:

Functionality. Perhaps you use private IP addresses on your protected network and your protected hosts need to have access to the Internet. This is where dynamic address translation may be used. You might also have servers with private IP addresses that need to be publicly accessible. This is where static address translation may be the solution.

Security. Address translation does not, in itself, provide any greater level of security, but it can make it more difficult for intruders to understand the exact layout of the protected network and which machines are susceptible to attack. In the worst-case scenario, employing address translation will mean that an attack will take longer, which will also make it more visible in NetDefendOS's log files. In the best-case scenario, an intruder will just give up.

This section describes dynamic as well as static address translation, how they work and what they can and cannot do. It also provides examples of configuring NAT and SAT rules.

7.1. Dynamic Network Address Translation

Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to different addresses. The most common usage for NAT is when using private IP addresses in an internal network and it is desirable that outbound connections appear as though they originate from the D-Link Firewall itself instead of the internal addresses.

NAT is a many-to-one translation, meaning that each NAT rule will translate several source IP addresses into a single source IP address. To maintain session state information, each connection from dynamically translated addresses must use a unique port number and IP address combination as its sender. Therefore, NetDefendOS will perform an automatic translation of the source port number as well. The source port used will be the next free port, usually one above . This means that there is a limitation of about simultaneous connections using the same translated source IP address.

NetDefendOS supports two strategies for how to translate the source address:

Use Interface Address. When a new connection is established, the routing table is consulted to resolve the egress interface for that connection. The IP address of that resolved interface is then used as the new source IP address when NetDefendOS performs the address translation.

Specify Sender Address. A specific IP address can be specified as the new source IP address. The specified IP address needs to have a matching ARP Publish entry configured for the egress interface. Otherwise, the return traffic will not be received by the D-Link Firewall.

The following example illustrates how NAT is applied in practice on a new connection:

1. The sender, for example , sends a packet from a dynamically assigned port, for instance port 1038, to a server, for example , port 80:
   :1038 => :80
2. In this example, the Use Interface Address option is used, and we will use as the interface address. In addition, the source port is changed to a free port on the D-Link Firewall, usually one above . In this example, we will use port 32789. The packet is then sent to its destination:
   :32789 => :80
3. The recipient server then processes the packet and sends its response:
   :80 => :
4. NetDefendOS receives the packet and compares it to its list of open connections. Once it finds the connection in question, it restores the original address and forwards the packet:
   :80 => :
5. The original sender receives the response.

Example 7.1. Adding a NAT rule

To add a NAT rule that will perform address translation for all HTTP traffic originating from the internal network, follow the steps outlined below:

CLI

   gw-world:/> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any DestinationNetwork=all-nets Name=NAT_HTTP NATAction=UseInterfaceAddress

Web Interface

1. Go to Rules > IP Rules > Add > IPRule
2. Specify a suitable name for the rule, e.g. NAT_HTTP
3. Now enter:
   Action: NAT
   Service: http
   Source Interface: lan
   Source Network: lannet
   Destination Interface: any
   Destination Network: all-nets
4. Under the NAT tab, make sure that the Use Interface Address option is selected
5. Click OK

Protocols Handled by NAT

Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality, since the algorithm knows which values can be adjusted to become unique in the three protocols. For other IP level protocols, unique connections are identified by their sender addresses, destination addresses and protocol numbers. This means that:

- An internal machine can communicate with several external servers using the same IP protocol.
- An internal machine can communicate with several external servers using different IP protocols.
- Several internal machines can communicate with different external servers using the same IP protocol.
- Several internal machines can communicate with the same server using different IP protocols.
- Several internal machines can not communicate with the same external server using the same IP protocol.

Note: These restrictions apply only to IP level protocols other than TCP, UDP and ICMP, such as OSPF, L2TP, etc. They do not apply to "protocols" transported by TCP, UDP and ICMP such as telnet, FTP, HTTP, SMTP, etc. NetDefendOS can alter port number information in the TCP and UDP headers to make each connection unique, even though such connections have had their sender addresses translated to the same IP.

Some protocols, regardless of the method of transportation used, can cause problems during address translation.

7.2. NAT Pools

Overview

As discussed in Section 7.1, Dynamic Network Address Translation, NAT provides a way to have multiple internal clients and hosts with unique private internal IP addresses communicate to remote hosts through a single external public IP address. When multiple public external IP addresses are available then a NAT Pool object can be used to allocate new connections across these public IP addresses.

NAT Pools are usually employed when there is a requirement for huge numbers of unique port connections. The NetDefendOS Port Manager has a limit of approximately 65,000 connections for a unique combination of source and destination IP addresses. Where large numbers of internal clients are using applications such as file sharing software, very large numbers of ports can be required for each client. The situation can be similarly demanding if a large number of clients are accessing the Internet through a proxy server. The port number limitation is overcome by allocating extra external IP addresses for Internet access and using NAT Pools to allocate new connections across them.

Types of NAT Pools

A NAT Pool can be one of three types, each allocating new connections in a different way:

- Stateful
- Stateless
- Fixed

These three types are discussed below.

Stateful NAT Pools

When the Stateful option is selected, NetDefendOS allocates a new connection to the external IP address that currently has the least number of connections routed through it, with the assumption that it is the least loaded. NetDefendOS keeps a record in memory of all such connections. Subsequent connections involving the same internal client/host will then use the same external IP address.

The advantage of the stateful approach is that it can balance connections across several external ISP links while ensuring that an external host will always communicate back to the same IP address, which is essential with protocols such as HTTP when cookies are involved. The disadvantage is the extra memory required by NetDefendOS to track the usage in its state table and the small processing overhead involved in processing a new connection.

To make sure that the state table does not contain dead entries for communications that are no longer active, a State Keepalive time can be specified. This time is the number of seconds of inactivity that must occur before a state in the state table is removed. After this period NetDefendOS assumes no more communication will originate from the associated internal host. Once the state is removed, subsequent communication from the host will result in a new state table entry and may be allocated to a different external IP address in the NAT Pool.

The state table itself takes up memory, so it is possible to limit its size using the Max States value in a NAT Pool object. The state table is not allocated all at once but is incremented in size as needed. One entry in the state table tracks all the connections for a single host behind the D-Link Firewall, no matter which external host the connection concerns. If Max States is reached then the existing state with the longest idle time is replaced. If all states in the table are active then the new connection is dropped. As a rule of thumb, the Max States value should be at least the number of local hosts or clients that will connect to the Internet. There is only one state table per NAT Pool, so if a single NAT Pool is re-used in multiple NAT IP rules they share the same state table.

Stateless NAT Pools

The Stateless option means that no state table is maintained and the external IP address chosen for each new connection is the one that has the least connections already allocated to it. This means two connections between one internal host and the same external host may use two different external IP addresses.

The advantage of a Stateless NAT Pool is that there is good spreading of new connections between external IP addresses with no requirement for memory allocated to a state table, and there is less processing time involved in setting up each new connection. The disadvantage is that it is not suitable for communication that requires a constant external IP address.

Fixed NAT Pools

The Fixed option means that each internal client or host is allocated one of the external IP addresses through a hashing algorithm. Although the administrator has no control over which of the external connections will be used, this scheme ensures that a particular internal client or host will always communicate through the same external IP address.

The Fixed option has the advantage of not requiring memory for a state table and providing very fast processing for new connection establishment. Although explicit load balancing is not part of this option, there should be spreading of the load across the external connections due to the random nature of the allocating algorithm.

IP Pool Usage

When allocating external IP addresses to a NAT Pool it is not necessary to explicitly state these. Instead a NetDefendOS IP Pool object can be selected. IP Pools gather collections of IP addresses automatically through DHCP and can therefore supply external IP addresses automatically to a NAT Pool. See Section 5.5, IP Pools for more details on this topic.
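The three NAT Pool types above, modelled as an added Python example that is not NetDefendOS code: a Stateful pool with a state table, Max States eviction and State Keepalive expiry, a Stateless pool, and a Fixed pool that hashes the internal address. The class and function names and all addresses are constructed for the example.

```python
"""NAT Pool allocation strategies (Stateful, Stateless, Fixed) as described in
this section, modelled in Python. Added example, not NetDefendOS code; class and
method names are my own and the internal/external addresses are constructed."""
import hashlib
import time
from collections import Counter


class NatPool:
    """Pick the external IP for a new connection from an internal host."""

    def __init__(self, external_ips, mode, max_states=None, state_keepalive=60):
        self.external_ips = list(external_ips)
        self.mode = mode                        # "stateful", "stateless" or "fixed"
        self.max_states = max_states            # None means no limit on the state table
        self.state_keepalive = state_keepalive  # idle seconds before a state entry is removed
        self.load = Counter({ip: 0 for ip in self.external_ips})  # connections per external IP
        # state table (Stateful only): internal host -> external IP, last activity, open conns
        self.states = {}

    def _least_loaded(self):
        # Assumed meaning of "least loaded": fewest connections currently using the IP.
        return min(self.external_ips, key=lambda ip: (self.load[ip], ip))

    def _fixed(self, host):
        # Hash the internal address so the same host always gets the same external IP.
        digest = hashlib.sha256(host.encode()).digest()
        return self.external_ips[int.from_bytes(digest[:4], "big") % len(self.external_ips)]

    def _expire_states(self, now):
        # State Keepalive: forget hosts idle for longer than the keepalive time.
        for host in [h for h, s in self.states.items() if now - s["last"] > self.state_keepalive]:
            del self.states[host]

    def _make_room(self):
        # Max States: evict the idle entry with the longest idle time; if every entry
        # still has active connections, the new connection must be dropped.
        if self.max_states is None or len(self.states) < self.max_states:
            return True
        idle = [(s["last"], h) for h, s in self.states.items() if s["conns"] == 0]
        if not idle:
            return False
        del self.states[min(idle)[1]]
        return True

    def new_connection(self, host, now=None):
        """Return the external IP to use, or None if the connection is dropped."""
        now = time.monotonic() if now is None else now
        if self.mode == "stateless":
            ip = self._least_loaded()           # two connections from one host may differ
        elif self.mode == "fixed":
            ip = self._fixed(host)
        elif self.mode == "stateful":
            self._expire_states(now)
            state = self.states.get(host)
            if state is None:
                if not self._make_room():
                    return None
                state = self.states[host] = {"ip": self._least_loaded(), "last": now, "conns": 0}
            state["last"] = now
            state["conns"] += 1
            ip = state["ip"]
        else:
            raise ValueError("unknown NAT Pool type: %s" % self.mode)
        self.load[ip] += 1
        return ip

    def close_connection(self, host, ip):
        self.load[ip] -= 1
        if host in self.states:
            self.states[host]["conns"] -= 1


EXTERNAL = ["203.0.113.10", "203.0.113.11"]   # constructed public IPs for the pool


def demo_stateful():
    """Walk through Stateful allocation, Max States and State Keepalive behaviour."""
    pool = NatPool(EXTERNAL, "stateful", max_states=2, state_keepalive=60)
    out = {}
    out["a1"] = pool.new_connection("10.0.0.1", now=0)    # both idle, .10 chosen
    out["b1"] = pool.new_connection("10.0.0.2", now=1)    # .11 is least loaded
    out["a2"] = pool.new_connection("10.0.0.1", now=2)    # .10 again: state remembered
    out["c1"] = pool.new_connection("10.0.0.3", now=3)    # Max States hit, all active: dropped
    pool.close_connection("10.0.0.2", out["b1"])
    out["c2"] = pool.new_connection("10.0.0.3", now=4)    # idle state of 10.0.0.2 evicted
    out["a3"] = pool.new_connection("10.0.0.1", now=100)  # keepalive expired, reallocated
    return out


def demo_stateless_and_fixed():
    stateless = NatPool(EXTERNAL, "stateless")
    fixed = NatPool(EXTERNAL, "fixed")
    return {
        "stateless": [stateless.new_connection("10.0.0.1") for _ in range(2)],  # spread
        "fixed": [fixed.new_connection("10.0.0.1") for _ in range(2)],          # stable
    }
```

The dropped connection in demo_stateful is the "all states active" case from the text; the last allocation shows why a host can change external address once its keepalive has expired.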
Proxy ARP Usage

Where an external router sends ARP queries to the D-Link Firewall to resolve external IP addresses included in a NAT Pool, NetDefendOS will need to send the correct ARP replies for this resolution to take place through its Proxy ARP mechanism, so the external router can correctly build its routing table.

By default, the administrator must specify in NAT Pool setup which interfaces will be used by NAT pools. The option exists however to enable Proxy ARP for a NAT Pool on all interfaces, but this can sometimes cause problems by creating routes to interfaces on which packets shouldn't arrive. It is therefore recommended that the interface(s) to be used for the NAT Pool Proxy ARP mechanism are explicitly specified.

Using NAT Pools

NAT Pools are used in conjunction with a normal NAT IP rule. When defining a NAT rule, the dialog includes the option to select a NAT Pool to use with the rule. This association brings the NAT Pool into use.

Example 7.2. Using NAT Pools

This example creates a NAT pool which will be applied to the external IP address range to and then uses it in a NAT IP rule for HTTP traffic on the Wan interface.

Web Interface

A. First create an object in the address book for the address range.

1. Go to Objects > Address Book > Add > IP address

7.3. Static Address Translation

NetDefendOS can translate entire ranges of IP addresses and/or ports. Such translations are transpositions, that is, each address or port is mapped to a corresponding address or port in the new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translation (SAT).

Unlike NAT, SAT requires more than just a single SAT rule to function. NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it continues to search for a matching Allow, NAT or FwdFast rule. Only when it has found such a matching rule does NetDefendOS execute the SAT rule.

Translation of a Single IP Address (1:1)

The simplest form of SAT usage is translation of a single IP address. A very common scenario for this is to enable external users to access a protected server having a private address. This scenario is also sometimes referred to as a Virtual IP or Virtual Server in some other manufacturers' products.

Example 7.3. Enabling Traffic to a Protected Web Server in a DMZ

In this example, we will create a SAT policy that will translate and allow connections from the Internet to a web server located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface with address object wan_ip (defined as ) as IP address. The web server has the IP address and is reachable through the dmz interface.

CLI

First create a SAT rule:

   gw-world:/> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip SATTranslate=DestinationIP SATTranslateToIP= Name=SAT_HTTP_To_DMZ

Then create a corresponding Allow rule:

   gw-world:/> add IPRule action=allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wan_ip Name=Allow_HTTP_To_DMZ

Web Interface

First create a SAT rule:

1. Go to Rules > IP Rules > Add > IPRule
2. Specify a suitable name for the rule, e.g. SAT_HTTP_To_DMZ
3. Now enter:
   Action: SAT
   Service: http
   Source Interface: any
   Source Network: all-nets
   Destination Interface: core
   Destination Network: wan_ip
4. Under the SAT tab, make sure that the Destination IP Address option is selected
5. In the New IP Address textbox, enter 
6. Click OK

Then create a corresponding Allow rule:

1. Go to Rules > IP Rules > Add > IPRule
2. Specify a suitable name for the rule, e.g. Allow_HTTP_To_DMZ
3. Now enter:
   Action: Allow
   Service: http
   Source Interface: any
   Source Network: all-nets
   Destination Interface: core
   Destination Network: wan_ip
4. Under the Service tab, select http in the Pre-defined list
5. Click OK

The example results in the following two rules in the rule set:

   #  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  Parameters
   1  SAT     any        all-nets  core        wan_ip    http     SETDEST
   2  Allow   any        all-nets  core        wan_ip    http

These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.

Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet. In this example, we use a rule that permits everything from the internal network to access the Internet via NAT hide:

   3  NAT     lan        lannet    any         all-nets  All

Now, what is wrong with this rule set? If we assume that we want to implement address translation for reasons of security as well as functionality, we discover that this rule set makes our internal addresses visible to machines in the DMZ. When internal machines connect to wan_ip port 80, they will be allowed to proceed by rule 2 as it matches that communication. From an internal perspective, all machines in the DMZ should be regarded as any other Internet-connected servers; we do not trust them, which is the reason for locating them in a DMZ in the first place.

There are two possible solutions:

1. You can change rule 2 so that it only applies to external traffic.
2. You can swap rules 2 and 3 so that the NAT rule is carried out for internal traffic before the Allow rule matches.

Which of these two options is the best? For this configuration, it makes no difference. Both solutions work just as well. However, suppose that we use another interface, ext2, in the D-Link Firewall and connect it to another network, perhaps to that of a neighboring company so that they can communicate much faster with our servers. If option 1 was selected, the rule set must be adjusted thus:

   #  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  Parameters
   1  SAT     any        all-nets  core        wan_ip    http     SETDEST
   2  Allow   wan        all-nets  core        wan_ip    http
   3  Allow   ext2       ext2net   core        wan_ip    http
   4  NAT     lan        lannet    any         all-nets  All

This increases the number of rules for each interface allowed to communicate with the web server. However, the rule ordering is unimportant, which may help avoid errors.

If option 2 was selected, the rule set must be adjusted thus:

   #  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  Parameters
   1  SAT     any        all-nets  core        wan_ip    http     SETDEST
   2  NAT     lan        lannet    any         all-nets  All
   3  Allow   any        all-nets  core        wan_ip    http

This means that the number of rules does not need to be increased. This is good as long as all interfaces can be entrusted to communicate with the web server. However, if, at a later point, you add an interface that cannot be entrusted to communicate with the web server, separate Drop rules would have to be placed before the rule granting all machines access to the web server.

Determining the best course of action must be done on a case-by-case basis, taking all circumstances into account.

Example 7.4. Enabling Traffic to a Web Server on an Internal Network

The example we have decided to use is that of a web server with a private address located on an internal network. From a security standpoint, this approach is wrong, as web servers are very vulnerable to attack and should therefore be located in a DMZ. However, due to its simplicity, we have chosen to use this model in our example.

In order for external users to access the web server, they must be able to contact it using a public address. In this example, we have chosen to translate port 80 on the D-Link Firewall's external address to port 80 on the web server:

   #  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  Parameters
   1  SAT     any        all-nets  core        wan_ip    http     SETDEST wwwsrv 80
   2  Allow   any        all-nets  core        wan_ip    http

These two rules allow us to access the web server via the D-Link Firewall's external IP address. Rule 1 states that address translation can take place if the connection has been permitted, and rule 2 permits the connection.

Of course, we also need a rule that allows internal machines to be dynamically address translated to the Internet. In this example, we use a rule that permits everything from the internal network to access the Internet via NAT hide:

   3  NAT     lan        lannet    any         all-nets  All

The problem with this rule set is that it will not work at all for traffic from the internal network. In order to illustrate exactly what happens, we use the following IP addresses:

- wan_ip ( ): a public IP address
- lan_ip ( ): the D-Link Firewall's private internal IP address
- wwwsrv ( ): the web server's private IP address
- PC1 ( ): a machine with a private IP address

PC1 sends a packet to wan_ip to reach the web server:
   :1038 => :80

NetDefendOS translates the address in accordance with rule 1 and forwards the packet in accordance with rule 2:
   :1038 => :80

wwwsrv processes the packet and replies:
   :80 => :1038

This reply arrives directly at PC1 without passing through the D-Link Firewall. This causes problems. The reason this will not work is that PC1 expects a reply from :80, not :80. The unexpected reply is discarded and PC1 continues to wait for a response from :80, which will never arrive.

Making a minor change to the rule set, in the same way as described above, will solve the problem. In this example, for no particular reason, we choose to use option 2:

   #  Action  Src Iface  Src Net   Dest Iface  Dest Net  Service  Parameters
   1  SAT     any        all-nets  core        wan_ip    http     SETDEST wwwsrv 80
   2  NAT     lan        lannet    any         all-nets  All
   3  Allow   any        all-nets  core        wan_ip    http

PC1 sends a packet to wan_ip to reach the web server:
   :1038 => :80

NetDefendOS address translates this statically in accordance with rule 1 and dynamically in accordance with rule 2:
   :32789 => :80

wwwsrv processes the packet and replies:
   :80 => :32789

The reply arrives and both address translations are restored:
   :80 => :1038

This way, the reply arrives at PC1 from the expected address.

Another possible solution to this problem is to allow internal clients to speak directly to , which would completely avoid all the problems associated with address translation. However, this is not always practical.

Translation of Multiple IP Addresses (M:N)

A single SAT rule can be used to translate an entire range of IP addresses. In this case, the result is a transposition where the first original IP address will be translated to the first IP address in the translation list and so on. For instance, a SAT policy specifying that connections to the /29 network should be translated to will result in transpositions as per the table below:

   Original Address    Translated Address

In other words:

- Attempts to communicate with will result in a connection to
- Attempts to communicate with will result in a connection to
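The transposition arithmetic behind an M:N SAT rule, as an added Python example that is not NetDefendOS code. It goes beyond the M:N case above and also implements the All-to-One (N:1) mapping and the port-range translation covered later in this section, including the rule that an all-nets destination is always mapped All-to-One. The function names are my own and the addresses and ranges are constructed (RFC 5737 and RFC 1918 space).

```python
"""SAT transposition arithmetic: M:N (offset-preserving), All-to-One (N:1) and
port-range translation. Added example, not NetDefendOS code; the function names
are my own and the address ranges used are constructed."""
import ipaddress

ALL_NETS = ipaddress.ip_network("0.0.0.0/0")


def sat_translate_ip(dest_ip, dest_nets, translate_to, all_to_one=False):
    """Translate dest_ip under a SAT rule whose destination network is dest_nets.

    dest_nets    -- one network string (M:N) or a list of networks/addresses (a group)
    translate_to -- first address of the translation range (M:N) or the single target
    all_to_one   -- the rule's All-to-One parameter (N:1)
    Returns None when dest_ip does not fall inside the rule's destination network.
    """
    ip = ipaddress.ip_address(dest_ip)
    names = [dest_nets] if isinstance(dest_nets, str) else list(dest_nets)
    nets = [ipaddress.ip_network(n, strict=False) for n in names]
    target = ipaddress.ip_address(translate_to)
    matched = [n for n in nets if ip in n]
    if not matched:
        return None
    # When all-nets is the destination, All-to-One mapping is always done.
    if all_to_one or ALL_NETS in nets:
        return str(target)
    # M:N transposition: the i-th original address becomes the i-th translated address.
    offset = int(ip) - int(matched[0].network_address)
    return str(target + offset)


def sat_translate_port(dest_port, port_range, new_first_port):
    """1:1 port transposition: the range (lo, hi) is shifted to start at new_first_port."""
    lo, hi = port_range
    if not lo <= dest_port <= hi:
        return None
    return new_first_port + (dest_port - lo)


def transposition_table(dest_net, translate_to):
    """The 'Original Address -> Translated Address' table for an M:N rule."""
    net = ipaddress.ip_network(dest_net, strict=False)
    return [(str(ip), sat_translate_ip(str(ip), dest_net, translate_to)) for ip in net]


if __name__ == "__main__":
    # Constructed example: a /29 public range transposed onto private addresses.
    for original, translated in transposition_table("192.0.2.8/29", "10.10.10.50"):
        print(original, "->", translated)
    print("port 84 ->", sat_translate_port(84, (80, 85), 1080))
```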

An example of when this is useful is when having several protected servers in a DMZ, where each server should be accessible using a unique public IP address.

Example 7.5. Translating Traffic to Multiple Protected Web Servers

In this example, we will create a SAT policy that will translate and allow connections from the Internet to five web servers located in a DMZ. The D-Link Firewall is connected to the Internet using the wan interface, and the public IP addresses to use are in the range of to . The web servers have IP addresses in the range to , and they are reachable through the dmz interface.

To accomplish the task, the following steps need to be performed:

- Define an address object containing the public IP addresses.
- Define another address object for the base of the web server IP addresses.
- Publish the public IP addresses on the wan interface using the ARP publish mechanism.
- Create a SAT rule that will perform the translation.
- Create an Allow rule that will permit the incoming HTTP connections.

CLI

Create an address object for the public IP addresses:

   gw-world:/> add Address IP4Address wwwsrv_pub Address=

Now, create another object for the base of the web server IP addresses:

   gw-world:/> add Address IP4Address wwwsrv_priv_base Address=

Publish the public IP addresses on the wan interface using ARP publish. One ARP item is needed for every IP address:

   gw-world:/> add ARP Interface=wan IP= mode=publish

Repeat for all the five public IP addresses.

Create a SAT rule for the translation:

   gw-world:/> add IPRule Action=SAT Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wwwsrv_pub SATTranslateToIP=wwwsrv_priv_base SATTranslate=DestinationIP

Finally, create a corresponding Allow rule:

   gw-world:/> add IPRule Action=Allow Service=http SourceInterface=any SourceNetwork=all-nets DestinationInterface=core DestinationNetwork=wwwsrv_pub

Web Interface

Create an address object for the public IP addresses:

1. Go to Objects > Address Book > Add > IP address
2. Specify a suitable name for the object, e.g. wwwsrv_pub
3. Enter as the IP Address
4. Click OK

Now, create another address object for the base of the web server IP addresses:

1. Go to Objects > Address Book > Add > IP address
2. Specify a suitable name for the object, e.g. wwwsrv_priv_base
3. Enter as the IP Address

13 Port Translation Chapter 7. Address Translation NetDefendOS can be used to translate ranges and/or groups into just one IP address. 1 SAT any all-nets core , http SETDEST all-to-one This rule produces a N:1 translation of all addresses in the group (the range and ) to the IP Attempts to communicate with , port 80, will result in a connection to Attempts to communicate with , port 80, will result in a connection to Note When all-nets is the destination, All-to-One mapping is always done Port Translation Port Translation, also known as Port Address Translation (PAT), can be used to modify the source or destination port. 1 SAT any all-nets core wwwsrv_pub TCP SETDEST This rule produces a 1:1 translation of all ports in the range to the range Attempts to communicate with the web servers public address, port 80, will result in a connection to the web servers private address, port Attempts to communicate with the web servers public address, port 84, will result in a connection to the web servers private address, port Note In order to create a SAT Rule that allows port transation, a Custom Service must be used with the SAT Rule Protocols handled by SAT Generally, static address translation can handle all protocols that allow address translation to take place. However, there are protocols that can only be translated in special cases, and other protocols that simply cannot be translated at all. Protocols that are impossible to translate using SAT are most likely also impossible to translate using NAT. Reasons for this include: The protocol cryptographically requires that the addresses are unaltered; this applies to many VPN protocols. The protocol embeds its IP addresses inside the TCP or UDP level data, and subsequently requires that, in some way or another, the addresses visible on IP level are the same as those embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS. 
Either party is attempting to open new dynamic connections to the addresses visible to that party. In some cases, this can be resolved by modifying the application or the firewall 216

14 Multiple SAT rule matches Chapter 7. Address Translation configuration. There is no definitive list of what protocols that can or cannot be address translated. A general rule is that VPN protocols cannot usually be translated. In addition, protocols that open secondary connections in addition to the initial connection can be difficult to translate. Some protocols that are difficult to address translate may be handled by specially written algorithms designed to read and/or alter application data. These are commonly referred to as Application Layer Gateways or Application Layer Filters. NetDefendOS supports a number of such Application Layer Gateways and for more information please see Section 6.2, Application Layer Gateways Multiple SAT rule matches NetDefendOS does not terminate the rule set lookup upon finding a matching SAT rule. Instead, it continues to search for a matching Allow, NAT or FwdFast rule. Only when it has found such a matching rule does the firewall execute the static address translation. Despite this, the first matching SAT rule found for each address is the one that will be carried out. "Each address" above means that two SAT rules can be in effect at the same time on the same connection, provided that one is translating the sender address whilst the other is translating the destination address. 1 SAT any all-nets core wwwsrv_pub TCP SETDEST SAT lan lannet all-nets Standard SETSRC pubnet The two above rules may both be carried out concurrently on the same connection. In this instance, internal sender addresses will be translated to addresses in the "pubnet" in a 1:1 relation. In addition, if anyone tries to connect to the public address of the web server, the destination address will be changed to its private address. 
1 SAT lan lannet wwwsrv_pub TCP SETDEST intrasrv
2 SAT any all-nets wwwsrv_pub TCP SETDEST wwwsrv-priv 1080

In this instance, both rules are set to translate the destination address, meaning that only one of them will be carried out. If an attempt is made internally to communicate with the web server's public address, it will instead be redirected to an intranet server. If any other attempt is made to communicate with the web server's public address, it will be redirected to the private address of the publicly accessible web server. Again, note that the above rules require a matching Allow rule at a later point in the rule set in order to work.

SAT and FwdFast Rules

It is possible to employ static address translation in conjunction with FwdFast rules, although return traffic must be explicitly granted and translated. The following rules make up a working example of static address translation using FwdFast rules to a web server located on an internal network:

1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80
2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80
3 FwdFast any all-nets core wan_ip http
4 FwdFast lan wwwsrv any all-nets 80 -> All

We add a NAT rule to allow connections from the internal network to the Internet:

5 NAT lan lannet any all-nets All

What happens now?

External traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Correct.
Return traffic from wwwsrv:80 will match rules 2 and 4, and will appear to be sent from wan_ip:80. Correct.
Internal traffic to wan_ip:80 will match rules 1 and 3, and will be sent to wwwsrv. Almost correct; the packets will arrive at wwwsrv, but:
Return traffic from wwwsrv:80 to internal machines will be sent directly to the machines themselves. This will not work, as the packets will be interpreted as coming from the wrong address.

We will now try moving the NAT rule between the SAT and FwdFast rules:

1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80
2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80
3 NAT lan lannet any all-nets All
4 FwdFast any all-nets core wan_ip http
5 FwdFast lan wwwsrv any all-nets 80 -> All

What happens now?

External traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. Correct.
Return traffic from wwwsrv:80 will match rules 2 and 3. The replies will therefore be dynamically address translated. This changes the source port to a completely different port, which will not work.

The problem can be solved using the following rule set (rule 5 is the inbound FwdFast rule for wan_ip, as the explanation below requires):

1 SAT any all-nets core wan_ip http SETDEST wwwsrv 80
2 SAT lan wwwsrv any all-nets 80 -> All SETSRC wan_ip 80
3 FwdFast lan wwwsrv any all-nets 80 -> All
4 NAT lan lannet any all-nets All
5 FwdFast any all-nets core wan_ip http

External traffic to wan_ip:80 will match rules 1 and 5, and will be sent to wwwsrv.
Return traffic from wwwsrv:80 will match rules 2 and 3.
Internal traffic to wan_ip:80 will match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the D-Link Firewall's internal IP address, guaranteeing that return traffic passes through the D-Link Firewall.
Return traffic will automatically be handled by the D-Link Firewall's stateful inspection mechanism.
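The three rule sets above only differ in where the NAT rule sits, and the outcome for each flow follows from the order in which the rule set is scanned. The following Python model is an added example (not code from the manual or from NetDefendOS) that walks the three rule sets the way the text describes: the first matching SAT rule is applied, and the first matching non-SAT rule decides forwarding. Interface, network and rule names are the manual's; the hosts placed in each network ("client" on the Internet, "pc" on lannet) and the port numbers are constructed.

```python
# Added model of NetDefendOS-style rule evaluation for the three rule sets
# above (example code, not the manual's): the rule set is scanned from the top,
# the first matching SAT rule is applied, and the first matching non-SAT rule
# (FwdFast/NAT) decides forwarding. Hosts in each network and ports are constructed.
NETS = {"all-nets": None, "lannet": {"wwwsrv", "pc"},
        "wwwsrv": {"wwwsrv"}, "wan_ip": {"wan_ip"}}

def in_net(host, net):
    return NETS[net] is None or host in NETS[net]

def svc_match(service, flow):
    if service == "All":
        return True
    if service == "http":          # TCP to destination port 80
        return flow["dport"] == 80
    if service == "80 -> All":     # from source port 80 to any destination port
        return flow["sport"] == 80
    raise ValueError(service)

def rule_match(rule, flow):
    _action, sif, snet, dif, dnet, service = rule[:6]
    return (sif in ("any", flow["src_if"]) and in_net(flow["src"], snet)
            and dif in ("any", flow["dst_if"]) and in_net(flow["dst"], dnet)
            and svc_match(service, flow))

def evaluate(rules, flow):
    """Return (number of the SAT rule applied, (number, action) of the forwarding rule)."""
    sat = fwd = None
    for num, rule in enumerate(rules, 1):
        if not rule_match(rule, flow):
            continue
        if rule[0] == "SAT":
            sat = num if sat is None else sat      # first SAT match wins
        elif fwd is None:
            fwd = (num, rule[0])                   # first non-SAT match forwards
    return sat, fwd

# Rules as (action, src iface, src net, dst iface, dst net, service[, params]).
SAT_IN  = ("SAT", "any", "all-nets", "core", "wan_ip", "http", "SETDEST wwwsrv 80")
SAT_OUT = ("SAT", "lan", "wwwsrv", "any", "all-nets", "80 -> All", "SETSRC wan_ip 80")
FF_IN   = ("FwdFast", "any", "all-nets", "core", "wan_ip", "http")
FF_OUT  = ("FwdFast", "lan", "wwwsrv", "any", "all-nets", "80 -> All")
NAT_LAN = ("NAT", "lan", "lannet", "any", "all-nets", "All")
RULESET_A = [SAT_IN, SAT_OUT, FF_IN, FF_OUT, NAT_LAN]  # NAT appended last
RULESET_B = [SAT_IN, SAT_OUT, NAT_LAN, FF_IN, FF_OUT]  # NAT between SAT and FwdFast
RULESET_C = [SAT_IN, SAT_OUT, FF_OUT, NAT_LAN, FF_IN]  # the working order
# Constructed flows: "client" is a host on the Internet, "pc" an internal workstation.
EXTERNAL = dict(src_if="wan", src="client", dst_if="core", dst="wan_ip", sport=40000, dport=80)
RETURN = dict(src_if="lan", src="wwwsrv", dst_if="wan", dst="client", sport=80, dport=40000)
INTERNAL = dict(src_if="lan", src="pc", dst_if="core", dst="wan_ip", sport=40001, dport=80)
```

Running evaluate(RULESET_B, RETURN) yields (2, (3, "NAT")), which is the broken case: the server's replies are matched by the NAT rule and get their source port rewritten.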